The popular PremiSys access control system, which is used by Fortune 500 companies, universities, medical centres and government agencies to secure their offices, has been found to contain zero-day vulnerabilities that could allow criminals to enter restricted spaces by creating fraudulent badges and disabling building locks.
The PremiSys access control system, a product of US-based IDenticard whose ID badging programmes and identification solutions, ID card accessories, Visitor Management systems and access control systems are used by tens of thousands of firms worldwide, has been found featuring four zero-day vulnerabilities that can be exploited by cyber criminals to access the badge system database and gain covert access to premises of targeted organisations.
IDenticard's PremiSys access control system allows customers to connect to and monitor their access control system from anywhere. Controls include locking and unlocking doors remotely, responding to and clearing alarms, adding new cardholders, and viewing surveillance video feeds from smartphones.
Critical vulnerabilities yet to be patched
According to security firm Tenable Inc, the PremiSys access control system features as many as four zero-day vulnerabilities, fixes to which may not be available as IDenticard did not respond to the firm's alerts. As such, individual users will have to deploy mitigation tools to prevent a breach until IDenticard comes up with a software update to patch all the highlighted vulnerabities.
The vulnerability CVE-2019-3906 refers to the fact that the software contains hardcoded credentials and allows the administrator access to the entire service via the PremiSys Windows Communication Foundation (WCF) Service endpoint. These credentials cannot be changed by individual users and can be usd by attackers to dump contents of the badge system database, modify contents, or other various tasks with unfettered access.
Researchers at Tenable also found that the access control software stores user credentials and other sensitive information with a known-weak encryption method that can be easily breached, and that Identicard backups are stored in a password-protected zip file with the password hardcoded into the application.
The researchers also found that whenever an organisation installs the PremiSys access control system, employees need to type in a default username/password combination (PremisysUsr/ID3nt1card) to start using it. There is also a longer password option which is also a default one (ID3nt1cardID3nt1card) but organisations can only replace them with unique passwords by sending custom passwords to the vendor directly in order to receive an encrypted variant to use in their configurations.
Need for a wider dialogue within the security industry
"An organisation’s security purview is no longer confined by a firewall, subnets, or physical perimeter — it’s now boundaryless. This makes it critically important for security teams to have complete visibility into where they are exposed and to what extent,” said Renaud Deraison, co-founder and chief technology officer, Tenable.
"Unfortunately, many manufacturers in the new world of IoT don’t always understand the risks of unpatched software, leaving consumers and enterprises vulnerable to a cyber attack. In this case, organisations that use PremiSys for access control are at a huge risk as patches are not available.
"Beyond this particular issue, the security industry needs to have a wider dialogue about embedded systems and their maintainability over time. The complexity of the digital infrastructure is increasing, and so is its maintenance. We need vendors to be committed to delivering security patches in a timely manner, and in a fully automated way," he added.